Hacking of Utah Health Insurance Exchange Raises Security Questions

Other states may want to review security plans for their own health insurance exchanges.

With the news that the Utah health exchange -- one of just two state-run online insurance marketplaces in operation -- was recently hacked, states planning their own exchanges as prompted by the Affordable Care Act (ACA) might want to take a closer look at how they’ll handle cybersecurity.

The exchanges will hold digital records of a potential minefield of personal information -- Social Security numbers, federal tax and income data and more. To gain approval from the U.S. Department of Health and Human Services (HHS) for their exchange, states must prove they meet five provisions related to privacy and security.

In short, the federal guidance for applications, which are due Nov. 16, requires that states provide “adequate safeguards” to protect personal information on the exchange. States must also secure a letter of acceptance from the IRS, affirming that they're capable of protecting federal tax information, which will be used to determine eligibility for Medicaid and tax subsidies on the exchanges.

According to the exchange rules, “Personally identifiable information should be protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.”

States must comply with the federal Health Insurance Portability and Accountability Act (HIPAA), as well as the standards set out in the ACA, but they do have significant leeway in how they meet those parameters.

For example, Rhode Island (which is viewed as a case study for exchange planning) will require the company building the digital infrastructure for its exchange to hire a security manager. The vendors must also purchase an insurance policy that would cover up to $1 million in damages for any security failure.

California, which sent out its request for proposals for the exchange in January, is requiring its vendors to sign a confidentiality agreement. Broadly speaking, the California outline for its exchange says that its software vendors “should leverage government, industry and federally funded academic research on security, privacy and continuity of operations, with a strong link to available and emerging products and solutions.”

California is also requiring that the exchange be able to verify users’ identities with state agencies, such as the Department of Motor Vehicles, before allowing them to access confidential information. The software must also include layered firewalls and data encryption to protect the data in the exchange.

Utah officials stressed that no personal information was at risk during the hacking, which took place three weeks ago, according to the Salt Lake Tribune. Only informational pages, which outline insurance options available to consumers, were affected. State officials portrayed the breach as a “pure act of graffiti. Words were garbled, headlines were blurred.”

It wasn’t the first time that the state’s health sector had been compromised. Back in April, the state’s Medicaid database was breached, with hackers gaining access to the Social Security numbers of as many as 280,000 Utah residents. Less sensitive information, such as names and birth dates, for about 500,000 others was also exposed, according to the Tribune.

With an increasing push to digitize medical information, data breaches are one of the risks. As Kaiser Health News reported in June, HHS has received more than 22,000 complaints about privacy violations since HIPAA was enacted in 2003. Some of the largest breaches (which usually involve private health-care providers) compromised the information of millions of individuals.

“Strong privacy and security rules are crucial to the success of the new health insurance exchanges,” wrote Kate Black of the Center for Democracy and Technology, a nonprofit that advocates for Internet freedom. “If adequate privacy rules and security safeguards do not protect the information collected by exchanges, individuals will not have sufficient trust in an exchange to take advantage of its benefits.”

Dylan Scott (@DylanLScott) graduated from the E.W. Scripps School of Journalism at Ohio University in 2010. While there, he won an Associated Press award for Best Investigative Reporting for a series of stories on the university’s structural deficit. He then worked at the Las Vegas Sun and Center for Education Reform before joining Governing. He has reported on the Supreme Court’s consideration of the Affordable Care Act and various education reform movements in state and local government. When out of the office, Dylan spends his time watching classic films and reading fantasy fiction (most recently: A Song of Ice and Fire by George R.R. Martin).